
Dell PowerFlex Manager CVE-2026-22283

HIGH
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-06-17 dell
7.5
CVSS 3.1 · NVD

Severity by source

Vendor (dell) PRIMARY
HIGH
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable with no attacker auth but requires operator interaction and non-trivial conditions (AC:H, UI:R); description scopes impact to information disclosure only, so I and A set to N.

CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (dell).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 15:34 vuln.today

Description (NVD)

Dell PowerFlex Manager, versions prior to 4.8, contains an Inclusion of Functionality from Untrusted Control Sphere vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information disclosure.

Analysis (AI)

Information disclosure in Dell PowerFlex Manager versions prior to 4.8 stems from inclusion of functionality from an untrusted control sphere (CWE-829): a remote attacker can obtain sensitive data when a user is enticed into interacting with attacker-controlled content. The three ratings on this page differ because they assume different preconditions. Dell's primary rating is a qualitative High. NVD scores it 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), i.e. low attack complexity and no user interaction. vuln.today's own assessment assumes high attack complexity and required user interaction (AC:H, UI:R) and lands at 5.3 Medium. No public exploit was identified at the time of analysis.
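CWE-829 covers any code path that loads executable functionality (a script, template, plugin, or similar) from a location the attacker can influence. The advisory does not say which component of PowerFlex Manager has the flaw, so the following is a generic, added illustration of the weakness class and its usual fix, not Dell's code and not a description of the product's internal mechanism. The origin allowlist and hostnames are hypothetical.

```python
# Added illustration of CWE-829 (inclusion of functionality from an untrusted
# control sphere). Generic example code, not Dell PowerFlex Manager's code; the
# advisory does not describe the product's actual include mechanism.
from urllib.parse import urlsplit

# Assumed allowlist of (scheme, host) origins a management console may load
# functionality from. Hypothetical hosts.
TRUSTED_ORIGINS = {
    ("https", "console.example.internal"),
    ("https", "plugins.example.internal"),
}


def include_weak(url: str) -> str:
    """Weak pattern: accept whatever location the caller (or a crafted link,
    template, or parameter) names. The downstream fetcher would load and run
    it, which is exactly the CWE-829 condition."""
    return url


class UntrustedInclude(ValueError):
    """Raised when an include target is outside the trusted control sphere."""


def include_hardened(url: str) -> str:
    """Hardened pattern: only load from a fixed set of trusted origins.

    Requires https, rejects embedded credentials (the "trusted@attacker"
    trick), and compares the normalised hostname, not the raw string,
    against the allowlist. Returns the URL unchanged when acceptable.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UntrustedInclude(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UntrustedInclude("credentials in include URL not allowed")
    host = (parts.hostname or "").lower()  # hostname drops port and userinfo
    if (parts.scheme, host) not in TRUSTED_ORIGINS:
        raise UntrustedInclude(f"origin {host!r} is not trusted")
    return url


def is_trusted_include(url: str) -> bool:
    """Boolean wrapper for use in tests and request filters."""
    try:
        include_hardened(url)
        return True
    except UntrustedInclude:
        return False


if __name__ == "__main__":
    for candidate in (
        "https://console.example.internal/plugins/ops.js",
        "https://console.example.internal@attacker.example/ops.js",
        "http://plugins.example.internal/ops.js",
    ):
        print(f"{candidate}: {'allowed' if is_trusted_include(candidate) else 'blocked'}")
```

The point of comparing `parts.hostname` rather than the raw URL is that string prefix checks ("starts with https://console.example.internal") are defeated by userinfo and by subdomain tricks; parsing first and matching the normalised origin against an allowlist is the check that actually closes the class.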


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify an exposed PowerFlex Manager
Delivery: Host a malicious external resource
Exploit: Lure an operator into triggering the inclusion
Execution: Manager loads the untrusted functionality
Impact: Exfiltrate sensitive data from the operator's session

Vulnerability Assessment (AI)

Exploitation: Exploitation requires Dell PowerFlex Manager at a version prior to 4.8 to be reachable by the attacker over the network, and a legitimate PowerFlex Manager user must perform an interaction (UI:R in vuln.today's vector) that causes the manager to include functionality from an attacker-controlled source, consistent with CWE-829. …
Risk Assessment: vuln.today's CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, 5.3 Medium) describes a network-reachable, unauthenticated path that nevertheless needs high attack complexity and required user interaction, which tempers NVD's headline 7.5 (scored with AC:L and UI:N). Under the AI assumptions, successful exploitation depends on a privileged operator being induced to trigger the vulnerable flow under specific conditions; impact is confined to confidentiality, with no integrity or availability loss claimed. …
Exploit Scenario (hypothetical, derived from the CVE metadata): An attacker hosts malicious content (a crafted template, link, or external resource) and lures a logged-in PowerFlex Manager operator into interacting with it, for example via a spear-phishing message referencing a storage operations task. When the operator clicks through, the management console loads attacker-influenced functionality from the untrusted source and returns sensitive data accessible in the operator's session to the attacker. The advisory does not identify the specific component or include mechanism involved.
Remediation: Upgrade Dell PowerFlex Manager to version 4.8 or later as directed by Dell advisory DSA-2026-066 (https://www.dell.com/support/kbdoc/en-us/000477538/dsa-2026-066-security-update-for-powerflex-software-multiple-vulnerabilities); this is the vendor-released fix and the only confirmed remediation path. …

Recommended Action (AI)

Within 24 hours: Inventory all Dell PowerFlex Manager deployments and identify systems running versions prior to 4.8. …
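The inventory step above is where fleets usually go wrong: comparing version strings lexicographically reports "4.10" as older than "4.8" and misses or mis-flags hosts. The following added triage helper (not Dell's tooling) parses versions numerically and reports every host below the 4.8 fix line named in the advisory. The inventory list is constructed sample data with hypothetical hostnames; in practice you would populate it from your CMDB or from the version each PowerFlex Manager instance reports.

```python
# Added example: triage a PowerFlex Manager inventory against the fixed
# version (4.8) from DSA-2026-066. Not Dell's tooling. INVENTORY below is
# constructed sample data with hypothetical hostnames, not real API output.
import re

FIXED_VERSION = (4, 8)  # "versions prior to 4.8" are affected


def parse_version(s: str) -> tuple:
    """Turn '4.7.1', 'v4.8', '4.10.0-123' into a tuple of ints.

    Only the leading dotted digit groups are used, so build suffixes are
    ignored and components compare numerically (4.10 > 4.8).
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the version is prior to 4.8.

    Python tuple comparison does the right thing for mixed lengths:
    (4, 7, 9) < (4, 8) is True, (4, 8, 1) < (4, 8) is False.
    """
    return parse_version(version) < FIXED_VERSION


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    {"host": "pfxm-dc1.example.internal", "version": "4.7.0"},
    {"host": "pfxm-dc2.example.internal", "version": "4.8.0"},
    {"host": "pfxm-lab.example.internal", "version": "v4.10.1-55"},
    {"host": "pfxm-old.example.internal", "version": "3.8.2"},
]


def affected_hosts(inventory) -> list:
    """Return the hostnames that still need the 4.8 upgrade, in input order."""
    return [entry["host"] for entry in inventory if is_affected(entry["version"])]


if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"{host}: upgrade PowerFlex Manager to 4.8 or later (DSA-2026-066)")
```

Versions at or above 4.8 are reported as not affected regardless of patch level; if Dell later narrows the fixed range, change `FIXED_VERSION` in one place.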


CVE-2026-22283 vulnerability details – vuln.today
